Bug 665418: Firebug 0-day posted to Full-Disclosure
Status: RESOLVED FIXED (Closed)
Opened 14 years ago, closed 14 years ago
Categories: addons.mozilla.org :: Security, defect
Tracking: Not tracked
People: Reporter: dveditz, Unassigned
Attachments: 2 files

Firebug 0-day was posted to the full-disclosure mailing list today
http://seclists.org/fulldisclosure/2011/Jun/394
Completely unclear what version of Firefox and Firebug are involved, still testing various combinations.
- - - - - - - - - -
80vul.com discovered firebug that a famous firefox extension is vulnerable
to Cross Context Scripting, and this vul can execute evil codz in the chrome
privileged Firefox zone. So successful exploitation allows execution of
arbitrary code in user’s system.
*Exploitation*
a demo : http://www.80vul.com/firefox/firebug0day.htm
Open the firebug, and visit the exploit's URL, then open "NET"
-->URL-->"HTML" , and gcalctool is executed.

Comment 1 • 14 years ago (Reporter)

Comment 2 • 14 years ago (Reporter)

Comment 3 • 14 years ago (Reporter)
I could not reproduce using any of the following combinations (on Windows)

Firebug   Firefox
1.6.2     3.6.18
1.7.2     3.6.18
1.7.2     4.0.1
1.7.2     nightly (few days old)

Comment 4 • 14 years ago
Will see if I can reproduce this.

Comment 5 • 14 years ago
Also not able to reproduce up to Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko Firefox/5.0 build id: BuildID=20110615151330
and Firebug 1.7.2 - the only error I got in the error console is:
Error: Permission denied for <https://bug665418.bugzilla.mozilla.org> to get property XPCComponents.classes
Source File: https://bug665418.bugzilla.mozilla.org/attachment.cgi?id=540402
Line: 1

Comment 6 • 14 years ago
Managed to reproduce, http://evil.hackademix.net/firebug.html

Updated • 14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE

Comment 8 • 14 years ago (Reporter)
Reopening... bug 665369 seems to be about the fix that worked in Firebug 1.8 not working in Firebug 1.7, not the exploit itself. Maybe this "depends on" that one, or maybe they fix the exploit some other way (e.g. removing the NET tab entirely, for one unlikely approach).
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---

Comment 9 • 14 years ago
I can reproduce this on 4.0.1 (Mac) and 5.0 Beta (Mac) with Firebug 1.7.2.
Is the Firebug team aware of this?

Comment 10 • 14 years ago
BTW, there's a typo in the dependency bug number. I don't have access so I can't correct it.

Comment 11 • 14 years ago
Version 1.7.3 has been approved and pushed to the public. It should appear on the site within the hour and be pushed to most users within a few days. This version basically disabled the HTML section of the Net tab.

Comment 12 • 14 years ago (Reporter)
I see 1.7.3 on the site, calling this fixed.
Status: REOPENED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → FIXED

Comment 13 • 14 years ago
More info:
http://code.google.com/p/fbug/issues/detail?id=4553
A clearer test case:
https://fbug.googlecode.com/svn/tests/content/branches/1.8/net/4553
Note that evidence of a successful exploit here is Firefox > Tools > Error Console message about file name problems when you click on the HTML tab in the url of the net panel. If you just load the page you will get a permission denied message from the copy of the HTML running in the Firefox tab. Only after you drill down in Firebug will you get the exploit message.
Firebug 1.7.3 had to disable the HTML tab because 1.7 supports FF3.6. Firebug 1.8 (supporting FF4.0 and 5.*) restores the HTML tab because FF4.0+ does not suffer bug 665369.
I don't believe any further action is needed on this bug.